From 0fa150a12267b69abcfe5e380b698bbbbd37d5de Mon Sep 17 00:00:00 2001 From: Lei Zhang Date: Wed, 1 Aug 2018 17:44:48 +0000 Subject: Fix assertion in opj_j2k_merge_ppt(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This patches in: https://github.com/uclouvain/openjpeg/commit/832dfd18 https://github.com/uclouvain/openjpeg/commit/0c913b0a Also clean up a duplicate patch number and update README.pdfium. BUG=chromium:614691 Change-Id: I282abfe227e2f667418e5d9058e96e253b220de7 Reviewed-on: https://pdfium-review.googlesource.com/39352 Reviewed-by: Nicolás Peña Moreno Commit-Queue: Lei Zhang --- .../0035-opj_j2k_update_image_dimensions.patch | 49 ---------------------- .../0036-opj_j2k_update_image_dimensions.patch | 49 ++++++++++++++++++++++ .../0037-opj_j2k_merge_ppt_leak.patch | 30 +++++++++++++ third_party/libopenjpeg20/README.pdfium | 4 +- third_party/libopenjpeg20/j2k.c | 12 +++++- 5 files changed, 92 insertions(+), 52 deletions(-) delete mode 100644 third_party/libopenjpeg20/0035-opj_j2k_update_image_dimensions.patch create mode 100644 third_party/libopenjpeg20/0036-opj_j2k_update_image_dimensions.patch create mode 100644 third_party/libopenjpeg20/0037-opj_j2k_merge_ppt_leak.patch diff --git a/third_party/libopenjpeg20/0035-opj_j2k_update_image_dimensions.patch b/third_party/libopenjpeg20/0035-opj_j2k_update_image_dimensions.patch deleted file mode 100644 index b918c0586e..0000000000 --- a/third_party/libopenjpeg20/0035-opj_j2k_update_image_dimensions.patch +++ /dev/null @@ -1,49 +0,0 @@ -diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c -index 784a0620a..cea614709 100644 ---- a/third_party/libopenjpeg20/j2k.c -+++ b/third_party/libopenjpeg20/j2k.c -@@ -9223,32 +9223,30 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image, - - l_img_comp = p_image->comps; - for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) { -- OPJ_INT32 l_h, l_w; -- - l_img_comp->x0 = opj_uint_ceildiv(p_image->x0, l_img_comp->dx); - l_img_comp->y0 = opj_uint_ceildiv(p_image->y0, l_img_comp->dy); - l_comp_x1 = opj_int_ceildiv((OPJ_INT32)p_image->x1, (OPJ_INT32)l_img_comp->dx); - l_comp_y1 = opj_int_ceildiv((OPJ_INT32)p_image->y1, (OPJ_INT32)l_img_comp->dy); - -- l_w = opj_int_ceildivpow2(l_comp_x1, (OPJ_INT32)l_img_comp->factor) -- - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0, (OPJ_INT32)l_img_comp->factor); -- if (l_w < 0) { -+ OPJ_INT32 l_1 = opj_int_ceildivpow2(l_comp_x1, (OPJ_INT32)l_img_comp->factor); -+ OPJ_INT32 l_2 = opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0, (OPJ_INT32)l_img_comp->factor); -+ if (l_1 < l_2) { - opj_event_msg(p_manager, EVT_ERROR, -- "Size x of the decoded component image is incorrect (comp[%d].w=%d).\n", -- it_comp, l_w); -+ "Size x of the decoded component image is incorrect (comp[%d].w<0).\n", -+ it_comp); - return OPJ_FALSE; - } -- l_img_comp->w = (OPJ_UINT32)l_w; -+ l_img_comp->w = (OPJ_UINT32)(l_1-l_2); - -- l_h = opj_int_ceildivpow2(l_comp_y1, (OPJ_INT32)l_img_comp->factor) -- - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0, (OPJ_INT32)l_img_comp->factor); -- if (l_h < 0) { -+ l_1 = opj_int_ceildivpow2(l_comp_y1, (OPJ_INT32)l_img_comp->factor); -+ l_2 = opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0, (OPJ_INT32)l_img_comp->factor); -+ if (l_1 < l_2) { - opj_event_msg(p_manager, EVT_ERROR, -- "Size y of the decoded component image is incorrect (comp[%d].h=%d).\n", -- it_comp, l_h); -+ "Size y of the decoded component image is incorrect (comp[%d].h<0).\n", -+ it_comp); - return OPJ_FALSE; - } -- l_img_comp->h = (OPJ_UINT32)l_h; -+ l_img_comp->h = (OPJ_UINT32)(l_1-l_2); - - l_img_comp++; - } diff --git a/third_party/libopenjpeg20/0036-opj_j2k_update_image_dimensions.patch b/third_party/libopenjpeg20/0036-opj_j2k_update_image_dimensions.patch new file mode 100644 index 0000000000..b918c0586e --- /dev/null +++ b/third_party/libopenjpeg20/0036-opj_j2k_update_image_dimensions.patch @@ -0,0 +1,49 @@ +diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c +index 784a0620a..cea614709 100644 +--- a/third_party/libopenjpeg20/j2k.c ++++ b/third_party/libopenjpeg20/j2k.c +@@ -9223,32 +9223,30 @@ static OPJ_BOOL opj_j2k_update_image_dimensions(opj_image_t* p_image, + + l_img_comp = p_image->comps; + for (it_comp = 0; it_comp < p_image->numcomps; ++it_comp) { +- OPJ_INT32 l_h, l_w; +- + l_img_comp->x0 = opj_uint_ceildiv(p_image->x0, l_img_comp->dx); + l_img_comp->y0 = opj_uint_ceildiv(p_image->y0, l_img_comp->dy); + l_comp_x1 = opj_int_ceildiv((OPJ_INT32)p_image->x1, (OPJ_INT32)l_img_comp->dx); + l_comp_y1 = opj_int_ceildiv((OPJ_INT32)p_image->y1, (OPJ_INT32)l_img_comp->dy); + +- l_w = opj_int_ceildivpow2(l_comp_x1, (OPJ_INT32)l_img_comp->factor) +- - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0, (OPJ_INT32)l_img_comp->factor); +- if (l_w < 0) { ++ OPJ_INT32 l_1 = opj_int_ceildivpow2(l_comp_x1, (OPJ_INT32)l_img_comp->factor); ++ OPJ_INT32 l_2 = opj_int_ceildivpow2((OPJ_INT32)l_img_comp->x0, (OPJ_INT32)l_img_comp->factor); ++ if (l_1 < l_2) { + opj_event_msg(p_manager, EVT_ERROR, +- "Size x of the decoded component image is incorrect (comp[%d].w=%d).\n", +- it_comp, l_w); ++ "Size x of the decoded component image is incorrect (comp[%d].w<0).\n", ++ it_comp); + return OPJ_FALSE; + } +- l_img_comp->w = (OPJ_UINT32)l_w; ++ l_img_comp->w = (OPJ_UINT32)(l_1-l_2); + +- l_h = opj_int_ceildivpow2(l_comp_y1, (OPJ_INT32)l_img_comp->factor) +- - opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0, (OPJ_INT32)l_img_comp->factor); +- if (l_h < 0) { ++ l_1 = opj_int_ceildivpow2(l_comp_y1, (OPJ_INT32)l_img_comp->factor); ++ l_2 = opj_int_ceildivpow2((OPJ_INT32)l_img_comp->y0, (OPJ_INT32)l_img_comp->factor); ++ if (l_1 < l_2) { + opj_event_msg(p_manager, EVT_ERROR, +- "Size y of the decoded component image is incorrect (comp[%d].h=%d).\n", +- it_comp, l_h); ++ "Size y of the decoded component image is incorrect (comp[%d].h<0).\n", ++ it_comp); + return OPJ_FALSE; + } +- l_img_comp->h = (OPJ_UINT32)l_h; ++ l_img_comp->h = (OPJ_UINT32)(l_1-l_2); + + l_img_comp++; + } diff --git a/third_party/libopenjpeg20/0037-opj_j2k_merge_ppt_leak.patch b/third_party/libopenjpeg20/0037-opj_j2k_merge_ppt_leak.patch new file mode 100644 index 0000000000..3ea17f9390 --- /dev/null +++ b/third_party/libopenjpeg20/0037-opj_j2k_merge_ppt_leak.patch @@ -0,0 +1,30 @@ +diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c +index cea614709..afcd597ee 100644 +--- a/third_party/libopenjpeg20/j2k.c ++++ b/third_party/libopenjpeg20/j2k.c +@@ -4085,7 +4085,12 @@ static OPJ_BOOL opj_j2k_merge_ppt(opj_tcp_t *p_tcp, opj_event_mgr_t * p_manager) + /* preconditions */ + assert(p_tcp != 00); + assert(p_manager != 00); +- assert(p_tcp->ppt_buffer == NULL); ++ ++ if (p_tcp->ppt_buffer != NULL) { ++ opj_event_msg(p_manager, EVT_ERROR, ++ "opj_j2k_merge_ppt() has already been called\n"); ++ return OPJ_FALSE; ++ } + + if (p_tcp->ppt == 0U) { + return OPJ_TRUE; +@@ -8836,7 +8841,10 @@ OPJ_BOOL opj_j2k_read_tile_header(opj_j2k_t * p_j2k, + + /* Current marker is the EOC marker ?*/ + if (l_current_marker == J2K_MS_EOC) { +- p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_EOC; ++ if (p_j2k->m_specific_param.m_decoder.m_state != J2K_STATE_EOC) { ++ p_j2k->m_current_tile_number = 0; ++ p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_EOC; ++ } + } + + /* FIXME DOC ???*/ diff --git a/third_party/libopenjpeg20/README.pdfium b/third_party/libopenjpeg20/README.pdfium index 1805000634..2c944d5999 100644 --- a/third_party/libopenjpeg20/README.pdfium +++ b/third_party/libopenjpeg20/README.pdfium @@ -27,4 +27,6 @@ Local Modifications: 0026-use_opj_uint_ceildiv.patch: Remove (OPJ_UINT32)opj_int_ceildiv((OPJ_INT32)a, (OPJ_INT32) b). 0033-undefined-shift-opj_t1_dec_clnpass.patch: fix undefined shifts originated from opj_t1_decode_cblk. 0034-opj_malloc.patch: PDFium changes in opj_malloc. -0035-opj_j2k_update_image_dimensions.patch: fix integer overflow. +0035-opj_image_data_free.patch: Use the right free function in opj_jp2_apply_pclr. +0036-opj_j2k_update_image_dimensions.patch: fix integer overflow. +0037-opj_j2k_merge_ppt_leak.patch: fix memory leak. diff --git a/third_party/libopenjpeg20/j2k.c b/third_party/libopenjpeg20/j2k.c index cea6147096..afcd597ee0 100644 --- a/third_party/libopenjpeg20/j2k.c +++ b/third_party/libopenjpeg20/j2k.c @@ -4085,7 +4085,12 @@ static OPJ_BOOL opj_j2k_merge_ppt(opj_tcp_t *p_tcp, opj_event_mgr_t * p_manager) /* preconditions */ assert(p_tcp != 00); assert(p_manager != 00); - assert(p_tcp->ppt_buffer == NULL); + + if (p_tcp->ppt_buffer != NULL) { + opj_event_msg(p_manager, EVT_ERROR, + "opj_j2k_merge_ppt() has already been called\n"); + return OPJ_FALSE; + } if (p_tcp->ppt == 0U) { return OPJ_TRUE; @@ -8836,7 +8841,10 @@ OPJ_BOOL opj_j2k_read_tile_header(opj_j2k_t * p_j2k, /* Current marker is the EOC marker ?*/ if (l_current_marker == J2K_MS_EOC) { - p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_EOC; + if (p_j2k->m_specific_param.m_decoder.m_state != J2K_STATE_EOC) { + p_j2k->m_current_tile_number = 0; + p_j2k->m_specific_param.m_decoder.m_state = J2K_STATE_EOC; + } } /* FIXME DOC ???*/ -- cgit v1.2.3